[Dnsmasq-discuss] rebind-protection vs servers-file

Simon Kelley simon at thekelleys.org.uk
Mon Nov 24 21:02:04 GMT 2014


On 22/11/14 23:06, Dave Taht wrote:
> I have been fiddling with improving my internal dns, by creating a
> file that has all my internal dns servers in it that I can easily copy
> everywhere.
> 
> Example serversfile.
> 
> server=/rossow.r.lupinlodge.org/172.23.143.9
> rev-server=172.23.8.0/23,172.23.143.9
> 
> server=/lodge.r.lupinlodge.org/172.23.143.7
> rev-server=172.23.6.0/23,172.23.143.7
> 
> and adding the one line of parsing needed in OpenWrt's dnsmasq script...
> 
> with rebind-protection enabled I get an error if trying to ping
> rossow.r.lupinlodge.org
> 
> with it disabled, it does the right thing.
> 
> Will fiddle some more
> 

So dnsmasq is forwarding the query for rossow.r.lupinlodge.org and
getting an RFC 1918 address back as the answer? That will trigger the
rebind protection, which does nothing more than disallow RFC1918
addresses in answers from upstream servers; it's not very bright. As far
as I can see, rebind protection is fundamentally incompatible with the
network-of-dnsmasq instances you're experimenting with, since RFC1918
addresses as answers from other dnsmasq instances are required.


Cheers,

Simon.


